Saturday, July 18, 1998 Last modified at 1:58 a.m. on Saturday, July 18, 1998

Cyber code-breakers

Experts crack widely used data-scrambling method

WASHINGTON (AP) ? Armed with a custom-built computer worth less than $250,000, code-breakers competing in an industry contest cracked a widely used method for scrambling sensitive electronic data in less than three days. Critics denounced the feat as irresponsible, saying it could help computer criminals.

The exercise carried a clear political message over limits that the Clinton administration has placed on use of the most powerful data-scrambling software, which can be used within the United States but not shipped overseas.

The breakthrough, announced Friday, also alerted the financial industry, which uses encryption to protect records of credit-card transactions and bank transfers.

Kawika Daguio of the American Bankers Association said banks also use methods other than encryption for security and in some cases use a data-scrambling method that is exponentially more difficult to crack.

''This isn't devastating, but it's resulting in calls from CEOs ... all over the country,'' Daguio said.

Two previous successes at unscrambling similar electronic messages took, respectively, five months and 39 days and used many thousands of computers working together across the Internet to test each of roughly 72 quadrillion possible unlocking combinations.

The breakthrough attempt tested 88 billion possible combinations every second for 56 hours until it unlocked a message that had been scrambled using a government-approved method, called the Data Encryption Standard.

''It makes it perfectly clear that somebody could be and could have been doing this for a number of years,'' said Whitfield Diffie, a crypto expert and scientist at Sun Microsystems Inc.

The contest to crack the message was sponsored by RSA Data Security Inc. of San Mateo, Calif., which has endorsed use of virtually unbreakable data-scrambling products stronger than 56 bits, meaning its unlocking key is a sequence of 56 1s and 0s.

''I'm fairly certain that foreign governments will have built similar machines to this and they're using them to eavesdrop in on American communications,'' said Paul Kocher, president of Cryptography Research Inc. of San Francisco, which helped build the code-breaking computer.

Gene Kathol, chairman of the group that develops banking standards for electronic transactions, said it would be difficult for thieves to use the code-breaking technology to steal money.

''They've looked inside the egg, but they still have to get in the henhouse past the guard dog,'' Kathol said.

But Kathol also decried the effort and the publicity about its success as ''extremely irresponsible.''

''It's not in the best interest of the people to expose this,'' Kathol said. ''It's similar to putting a story on '60 Minutes' about how to steal a car.''

The Clinton administration prohibits encryption products stronger than 40 bits to be exported, although there are no limits on such software used domestically.

The successful computer, using 27 circuit boards each holding 64 computer chips, was built for the Electronic Frontier Foundation, a San Francisco-based nonprofit civil liberties group. It won $10,000 from RSA in the contest.

''EFF has proved what has been argued by scientists for 20 years, that DES can be cracked quickly and inexpensively,'' said John Gilmore, a board member for the foundation, which he co-founded in 1990. ''If a small nonprofit can crack DES, your competitors can, too.''

Rocke Verser, the cryptographer who led the five-month effort in June 1997 to unscramble a DES-encrypted message using thousands of computers across the Internet, called the three-day effort incredible.

''I was expecting it to be cracked pretty soon, but I had no idea it would be this quick,'' he said from his home in Colorado. ''It may be novel this year, but in two years that kind of custom hardware is going to be even more commonplace. It's certainly within the reach of organized crime and terrorists.''